Bug 504060
| Summary: | m2crypto does not handle subjectAltName having non DNS:xxx entries. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Jim Pirzyk <jim+redhat> |
| Component: | m2crypto | Assignee: | Miloslav Trmač <mitr> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE <qe-baseos-auto> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 5.5 | CC: | rlerch, sgrubb, zmraz |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
the M2Crypto SSL certificate checker incorrectly rejected
certificates with a subjectAltName extension that did not contain a host
name. M2Crypto now uses the certificate subject field instead of
subjectAltName if subjectAltName does not contain a host name.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-09-02 11:19:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 513501 | ||
Thanks for your report. If you are a RHEL customer and have an active support entitlement, please contact official Red Hat Support at https://www.redhat.com/apps/support/ to allow correct prioritization of this issue. (Related upstream report: https://bugzilla.osafoundation.org/show_bug.cgi?id=9605 ) Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: the M2Crypto SSL certificate checker incorrectly rejected certificates with a subjectAltName extension that did not contain a host name. M2Crypto now uses the certificate subject field instead of subjectAltName if subjectAltName does not contain a host name. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-1351.html The package does not solve the problem.
rpm -q m2crypto
m2crypto-0.16-6.el5.3
yum check-update
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* epel: mirror.ipnode.info
* rpmforge: fr2.rpmfind.net
* base: updates.interworx.info
* updates: mirror.skiplink.com
* addons: mirror.sanctuaryhost.com
* extras: mirror.anl.gov
Traceback (most recent call last):
File "/usr/bin/yum", line 29, in ?
yummain.user_main(sys.argv[1:], exit_code=True)
File "/usr/share/yum-cli/yummain.py", line 229, in user_main
errcode = main(args)
File "/usr/share/yum-cli/yummain.py", line 104, in main
result, resultmsgs = base.doCommands()
File "/usr/share/yum-cli/cli.py", line 339, in doCommands
self._getTs(needTsRemove)
File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 101, in _getTs
self._getTsInfo(remove_only)
File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 112, in _getTsInfo
pkgSack = self.pkgSack
File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 592, in <lambda>
pkgSack = property(fget=lambda self: self._getSacks(),
File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 435, in _getSacks
self.repos.populateSack(which=repos)
File "/usr/lib/python2.4/site-packages/yum/repos.py", line 251, in populateSack
sack.populate(repo, mdtype, callback, cacheonly)
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 160, in populate
if self._check_db_version(repo, mydbtype):
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 217, in _check_db_version
return repo._check_db_version(mdtype)
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1119, in _check_db_version
repoXML = self.repoXML
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1277, in <lambda>
repoXML = property(fget=lambda self: self._getRepoXML(),
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1269, in _getRepoXML
self._loadRepoXML(text=self)
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1259, in _loadRepoXML
return self._groupLoadRepoXML(text, ["primary"])
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1243, in _groupLoadRepoXML
if self._commonLoadRepoXML(text):
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1094, in _commonLoadRepoXML
result = self._getFileRepoXML(local, text)
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 887, in _getFileRepoXML
cache=self.http_caching == 'all')
File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 744, in _getFile
http_headers=headers,
File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 412, in urlgrab
return self._mirror_try(func, url, kw)
File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 398, in _mirror_try
return func_ref( *(fullurl,), **kwargs )
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 934, in urlgrab
return self._retry(opts, retryfunc, url, filename)
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 852, in _retry
r = apply(func, (opts,) + args, {})
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 920, in retryfunc
fo = URLGrabberFileObject(url, filename, opts)
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1008, in __init__
self._do_open()
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1091, in _do_open
fo, hdr = self._make_request(req, opener)
File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1200, in _make_request
fo = opener.open(req)
File "/usr/lib64/python2.4/urllib2.py", line 358, in open
response = self._open(req, data)
File "/usr/lib64/python2.4/urllib2.py", line 376, in _open
'_open', req)
File "/usr/lib64/python2.4/urllib2.py", line 337, in _call_chain
result = func(*args)
File "/usr/lib64/python2.4/site-packages/M2Crypto/m2urllib2.py", line 66, in https_open
h.request(req.get_method(), req.get_full_url(), req.data, headers)
File "/usr/lib64/python2.4/httplib.py", line 810, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.4/httplib.py", line 833, in _send_request
self.endheaders()
File "/usr/lib64/python2.4/httplib.py", line 804, in endheaders
self._send_output()
File "/usr/lib64/python2.4/httplib.py", line 685, in _send_output
self.send(msg)
File "/usr/lib64/python2.4/httplib.py", line 652, in send
self.connect()
File "/usr/lib64/python2.4/site-packages/M2Crypto/httpslib.py", line 47, in connect
self.sock.connect((self.host, self.port))
File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 159, in connect
if not check(self.get_peer_cert(), self.addr[0]):
File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Checker.py", line 86, in __call__
fieldName='subjectAltName')
M2Crypto.SSL.Checker.WrongHost: Peer certificate subjectAltName does not match host, expected repo.tusk.tufts.edu, got email:tuskdev.edu
The erratum contains m2crypto-0.16-6.el5.6, not ... el5.3. Can you retest with ...el5.6, please? Sorry about that, user error. Mistook the -6 for being the el5.6. Pinged CentOS to push this package out. |
Description of problem: Version-Release number of selected component (if applicable): 0.16-6.el5.3 How reproducible: All the time Steps to Reproduce: 1. Get a SSL Certificate from IPSca for a yum repository 2. Setup the yum repository 3. Configure RHEL client to connect to the yum repository Actual results: Traceback (most recent call last): File "/usr/bin/yum", line 29, in ? yummain.user_main(sys.argv[1:], exit_code=True) File "/usr/share/yum-cli/yummain.py", line 229, in user_main errcode = main(args) File "/usr/share/yum-cli/yummain.py", line 104, in main result, resultmsgs = base.doCommands() File "/usr/share/yum-cli/cli.py", line 339, in doCommands self._getTs(needTsRemove) File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 101, in _getTs self._getTsInfo(remove_only) File "/usr/lib/python2.4/site-packages/yum/depsolve.py", line 112, in _getTsInfo pkgSack = self.pkgSack File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 591, in <lambda> pkgSack = property(fget=lambda self: self._getSacks(), File "/usr/lib/python2.4/site-packages/yum/__init__.py", line 434, in _getSacks self.repos.populateSack(which=repos) File "/usr/lib/python2.4/site-packages/yum/repos.py", line 251, in populateSack sack.populate(repo, mdtype, callback, cacheonly) File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 159, in populate if self._check_db_version(repo, mydbtype): File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 216, in _check_db_version return repo._check_db_version(mdtype) File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 966, in _check_db_version repoXML = self.repoXML File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1124, in <lambda> repoXML = property(fget=lambda self: self._getRepoXML(), File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1116, in _getRepoXML self._loadRepoXML(text=self) File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1106, in _loadRepoXML return self._groupLoadRepoXML(text, ["primary"]) File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 1090, in _groupLoadRepoXML if self._commonLoadRepoXML(text): File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 941, in _commonLoadRepoXML result = self._getFileRepoXML(local, text) File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 812, in _getFileRepoXML cache=self.http_caching == 'all') File "/usr/lib/python2.4/site-packages/yum/yumRepo.py", line 687, in _getFile http_headers=headers, File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 412, in urlgrab return self._mirror_try(func, url, kw) File "/usr/lib/python2.4/site-packages/urlgrabber/mirror.py", line 398, in _mirror_try return func_ref( *(fullurl,), **kwargs ) File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 934, in urlgrab return self._retry(opts, retryfunc, url, filename) File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 852, in _retry r = apply(func, (opts,) + args, {}) File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 920, in retryfunc fo = URLGrabberFileObject(url, filename, opts) File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1008, in __init__ self._do_open() File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1091, in _do_open fo, hdr = self._make_request(req, opener) File "/usr/lib/python2.4/site-packages/urlgrabber/grabber.py", line 1200, in _make_request fo = opener.open(req) File "/usr/lib/python2.4/urllib2.py", line 358, in open response = self._open(req, data) File "/usr/lib/python2.4/urllib2.py", line 376, in _open '_open', req) File "/usr/lib/python2.4/urllib2.py", line 337, in _call_chain result = func(*args) File "/usr/lib/python2.4/site-packages/M2Crypto/m2urllib2.py", line 66, in https_open h.request(req.get_method(), req.get_full_url(), req.data, headers) File "/usr/lib/python2.4/httplib.py", line 810, in request self._send_request(method, url, body, headers) File "/usr/lib/python2.4/httplib.py", line 833, in _send_request self.endheaders() File "/usr/lib/python2.4/httplib.py", line 804, in endheaders self._send_output() File "/usr/lib/python2.4/httplib.py", line 685, in _send_output self.send(msg) File "/usr/lib/python2.4/httplib.py", line 652, in send self.connect() File "/usr/lib/python2.4/site-packages/M2Crypto/httpslib.py", line 47, in connect self.sock.connect((self.host, self.port)) File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 159, in connect if not check(self.get_peer_cert(), self.addr[0]): File "/usr/lib/python2.4/site-packages/M2Crypto/SSL/Checker.py", line 86, in __call__ fieldName='subjectAltName') M2Crypto.SSL.Checker.WrongHost: Peer certificate subjectAltName does not match host, expected repo.tusk.tufts.edu, got email:tuskdev.edu Expected results: Successfully connecting to the yum repository Additional info: According to the m2crypto comments in the code, it should only check against the subjectAltName if the entry starts with DNS:, but it does not look like the python code checks for it. # subjectAltName=DNS:somehost[, ...]* try: subjectAltName = peerCert.get_ext('subjectAltName').get_value() if not self._splitSubjectAltName(self.host, subjectAltName): raise WrongHost(expectedHost=self.host, actualHost=subjectAltName, fieldName='subjectAltName') hostValidationPassed = True Here is the SSL certificate information: Certificate: Data: Version: 3 (0x2) Serial Number: 64562 (0xfc32) Signature Algorithm: sha1WithRSAEncryption Issuer: C=ES, ST=Barcelona, L=Barcelona, O=IPS Certification Authority s.l., O=general C.I.F. B-B62210695, OU=ipsCA CLASEA1 Certification Authority, CN=ipsCA CLASEA1 Certification Authority/emailAddress=general Validity Not Before: May 14 15:55:30 2009 GMT Not After : May 14 15:55:30 2011 GMT Subject: C=US, ST=Massachusetts, L=Boston, O=Tufts University, OU=TUSK, CN=repo.tusk.tufts.edu/emailAddress=tuskdev.edu Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (512 bit) Modulus (512 bit): 00:9e:00:5d:c0:f8:e6:5b:cb:e3:ba:a6:f0:5f:4c: 3b:bd:5c:49:dc:92:2f:47:ef:bf:d9:aa:8b:ac:87: 77:cd:1a:74:7a:2f:da:a3:6e:ae:53:9c:54:e8:2b: 25:ef:1c:c5:96:5c:24:6a:3f:07:a7:c9:ef:c8:1c: d3:c8:e3:b5:93 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement X509v3 Extended Key Usage: TLS Web Server Authentication X509v3 Subject Key Identifier: BF:0E:C2:87:9F:5D:F3:CE:3C:FA:9D:3F:2A:F4:AA:3E:1A:67:32:A1 X509v3 Authority Key Identifier: keyid:0E:07:60:D4:39:C9:1B:5B:5D:90:7B:23:C8:D2:34:9D:4A:9A:46:39 X509v3 Subject Alternative Name: email:tuskdev.edu X509v3 Issuer Alternative Name: email:general Netscape Comment: Organization Information NOT VALIDATED. CLASEA1 Server Certificate issued by https://www.ipsca.com/ Netscape Base Url: https://www.ipsca.com/ipsca2002/ Netscape CA Revocation Url: https://www.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl Netscape Revocation Url: https://www.ipsca.com/ipsca2002/revocationCLASEA1.html? Netscape Renewal Url: https://www.ipsca.com/ipsca2002/renewalCLASEA1.html? Netscape CA Policy Url: https://www.ipsca.com/ipsca2002/policyCLASEA1.html X509v3 CRL Distribution Points: URI:http://www.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl URI:http://wwwback.ipsca.com/ipsca2002/ipsca2002CLASEA1.crl Authority Information Access: OCSP - URI:http://ocsp.ipsca.com/ Signature Algorithm: sha1WithRSAEncryption 3d:0a:7d:b5:31:64:2b:17:a8:d6:a3:df:ea:8d:1b:ab:b3:06: c3:c2:9c:f9:ab:d1:3c:a9:ec:60:c8:2d:f4:e7:50:26:4d:f0: 5b:34:96:d2:d3:98:34:46:71:fe:3a:fd:c5:e6:c6:00:86:e8: 2d:46:73:28:51:c0:60:64:f9:56:d0:44:11:d1:87:82:76:fd: 63:89:9d:32:ce:32:75:30:c2:fb:61:3f:62:45:cb:95:65:c7: 21:e2:63:4b:7e:89:ca:b7:96:0f:30:8b:17:af:cb:97:84:45: a7:c7:b4:00:81:83:59:a6:32:7e:9b:b2:e6:1a:4e:20:0b:4e: af:b8 -----BEGIN CERTIFICATE----- MIIGKzCCBZSgAwIBAgIDAPwyMA0GCSqGSIb3DQEBBQUAMIIBEjELMAkGA1UEBhMC RVMxEjAQBgNVBAgTCUJhcmNlbG9uYTESMBAGA1UEBxMJQmFyY2Vsb25hMSkwJwYD VQQKEyBJUFMgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgcy5sLjEuMCwGA1UEChQl Z2VuZXJhbEBpcHNjYS5jb20gQy5JLkYuICBCLUI2MjIxMDY5NTEuMCwGA1UECxMl aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEuMCwGA1UEAxMl aXBzQ0EgQ0xBU0VBMSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEgMB4GCSqGSIb3 DQEJARYRZ2VuZXJhbEBpcHNjYS5jb20wHhcNMDkwNTE0MTU1NTMwWhcNMTEwNTE0 MTU1NTMwWjCBpjELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMx DzANBgNVBAcTBkJvc3RvbjEZMBcGA1UEChMQVHVmdHMgVW5pdmVyc2l0eTENMAsG A1UECxMEVFVTSzEcMBoGA1UEAxMTcmVwby50dXNrLnR1ZnRzLmVkdTEmMCQGCSqG SIb3DQEJARYXdHVza2RldkBlbGlzdC50dWZ0cy5lZHUwXDANBgkqhkiG9w0BAQEF AANLADBIAkEAngBdwPjmW8vjuqbwX0w7vVxJ3JIvR++/2aqLrId3zRp0ei/ao26u U5xU6Csl7xzFllwkaj8Hp8nvyBzTyOO1kwIDAQABo4IDOjCCAzYwCQYDVR0TBAIw ADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgP4MBMGA1UdJQQMMAoGCCsG AQUFBwMBMB0GA1UdDgQWBBS/DsKHn13zzjz6nT8q9Ko+GmcyoTAfBgNVHSMEGDAW gBQOB2DUOckbW12QeyPI0jSdSppGOTAiBgNVHREEGzAZgRd0dXNrZGV2QGVsaXN0 LnR1ZnRzLmVkdTAcBgNVHRIEFTATgRFnZW5lcmFsQGlwc2NhLmNvbTByBglghkgB hvhCAQ0EZRZjT3JnYW5pemF0aW9uIEluZm9ybWF0aW9uIE5PVCBWQUxJREFURUQu IENMQVNFQTEgU2VydmVyIENlcnRpZmljYXRlIGlzc3VlZCBieSBodHRwczovL3d3 dy5pcHNjYS5jb20vMC8GCWCGSAGG+EIBAgQiFiBodHRwczovL3d3dy5pcHNjYS5j b20vaXBzY2EyMDAyLzBDBglghkgBhvhCAQQENhY0aHR0cHM6Ly93d3cuaXBzY2Eu Y29tL2lwc2NhMjAwMi9pcHNjYTIwMDJDTEFTRUExLmNybDBGBglghkgBhvhCAQME ORY3aHR0cHM6Ly93d3cuaXBzY2EuY29tL2lwc2NhMjAwMi9yZXZvY2F0aW9uQ0xB U0VBMS5odG1sPzBDBglghkgBhvhCAQcENhY0aHR0cHM6Ly93d3cuaXBzY2EuY29t L2lwc2NhMjAwMi9yZW5ld2FsQ0xBU0VBMS5odG1sPzBBBglghkgBhvhCAQgENBYy aHR0cHM6Ly93d3cuaXBzY2EuY29tL2lwc2NhMjAwMi9wb2xpY3lDTEFTRUExLmh0 bWwwgYMGA1UdHwR8MHowOaA3oDWGM2h0dHA6Ly93d3cuaXBzY2EuY29tL2lwc2Nh MjAwMi9pcHNjYTIwMDJDTEFTRUExLmNybDA9oDugOYY3aHR0cDovL3d3d2JhY2su aXBzY2EuY29tL2lwc2NhMjAwMi9pcHNjYTIwMDJDTEFTRUExLmNybDAyBggrBgEF BQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmlwc2NhLmNvbS8wDQYJ KoZIhvcNAQEFBQADgYEAPQp9tTFkKxeo1qPf6o0bq7MGw8Kc+avRPKnsYMgt9OdQ Jk3wWzSW0tOYNEZx/jr9xebGAIboLUZzKFHAYGT5VtBEEdGHgnb9Y4mdMs4ydTDC +2E/YkXLlWXHIeJjS36JyreWDzCLF6/Ll4RFp8e0AIGDWaYyfpuy5hpOIAtOr7g= -----END CERTIFICATE-----